CVE-2018-7685

HIGH

libzypp <17.5.0 - Info Disclosure

Title source: llm

Description

The decoupled download and installation steps in libzypp before 17.5.0 could lead to a corrupted RPM being left in the cache, where a later call would not display the corrupted RPM warning and allow installation, a problem caused by malicious warnings only displayed during download.

References (3)

[Issue Tracking] https://bugzilla.suse.com/show_bug.cgi?id=1091624

[Various Sources] https://www.suse.com/de-de/security/cve/CVE-2018-7685/

[Various Sources] http://lists.suse.com/pipermail/sle-security-updates/2018-August/004510.html

Scores

CVSS v3 7.8

EPSS 0.0007

EPSS Percentile 21.9%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-358 CWE-347

Status published

Products (1)

opensuse/libzypp < 17.5.0

Published Aug 31, 2018

Tracked Since Feb 18, 2026